We use CUPS with winbind (for determining group membership of domain users). Since Samba 4.2, the "winbind enumerate groups" parameter is 0 by default, so "getent group somegroup" doesn't return any members. This makes CUPS AllowUser with "@" statements work only with primary groups of users.
As I see in scheduler/auth.c, CUPS (2.1.3) loops through the members of the group instead of just looping through the current user's group list (getgrouplist(3)), which is much faster I suppose, especially when comparing to groups containing hundreds of users.
In smb.conf(5) this behavior is called "broken applications". I think it's true for this case, at least when talking about performance.
Also, I have to say that many distributions have updated Samba major versions (e.g. 4.1 -> 4.3) after the Badlock vulnerability, so this issue could affect many current installations of CUPS+winbind. The smb.conf workaround is trivial, but I think this change should be included in the next release.
Thanks for your attention.
Version: 2.2-feature
CUPS.org User: twaugh.redhat
I've had a report that using getgrnam() can be unreliable:
https://bugzilla.redhat.com/show_bug.cgi?id=1204379
and that the more common case of count(groups user is in) < count(users in group) would be speeded up by the use of getgrouplist().
A patch is available at the original bug report. What do you think about this general approach?
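Added example, not part of the issue and not taken from the CUPS sources or the linked patch: the two membership checks discussed above side by side, showing why a scan of the group's member array denies a user when the directory returns an empty member list while a getgrouplist() lookup on the user still finds the group. The function names `name_in_members` and `user_in_gid` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes getgrouplist() in glibc headers */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Group-side check: scan a group's member array (gr_mem) for the user.
 * Finds nothing when the directory service returns an empty member list. */
int name_in_members(const char *user, char *const *members)
{
    for (; members && *members; members++)
        if (strcmp(user, *members) == 0)
            return 1;
    return 0;
}

/* User-side check: ask NSS for the user's own groups (primary included).
 * Returns 1 if target is among them, 0 if not, -1 if out of memory. */
int user_in_gid(const char *user, gid_t primary, gid_t target)
{
    int cap = 16, n, found = 0;
    gid_t *gids = malloc((size_t)cap * sizeof(*gids));
    if (!gids)
        return -1;
    /* On a short buffer getgrouplist() returns -1 and reports the count in n. */
    while (n = cap, getgrouplist(user, primary, gids, &n) == -1) {
        cap = n > cap ? n : cap * 2;
        gid_t *bigger = realloc(gids, (size_t)cap * sizeof(*gids));
        if (!bigger) { free(gids); return -1; }
        gids = bigger;
    }
    for (int i = 0; i < n && !found; i++)
        found = (gids[i] == target);
    free(gids);
    return found;
}

int main(int argc, char **argv)
{
    struct passwd *pw = argc == 3 ? getpwnam(argv[1]) : NULL;
    struct group *gr = pw ? getgrnam(argv[2]) : NULL;
    if (!gr) { fprintf(stderr, "usage: %s USER GROUP (both must exist)\n", argv[0]); return 2; }
    printf("gr_mem scan:  %d\n", name_in_members(argv[1], gr->gr_mem));
    printf("getgrouplist: %d\n", user_in_gid(argv[1], pw->pw_gid, gr->gr_gid));
    return 0;
}
```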